Hello Experts,
I am new to AEM and would like to know if this new vulnerability spring4shell can affect our system/servers.
There's no public-facing component of AEM. The content from AEM is "copied" over HTTP to the 2 IIS web servers in the DMZ.
We fixed the Log4Shell issue a few months back, but I am not sure whether Spring4Shell is affecting AEM servers.
Can anyone provide input on this issue?
Thanks!
We are aware of the two vulnerabilities and available patches (CVE-2022-22965, CVE-2022-22963). We are patching within our standard vulnerability patching policies. Please reach out to Support for the update.
1. Any application using Spring on Java 9 or newer is impacted, especially on Tomcat servers (Java 8 does not appear to be vulnerable).
2. Recommend upgrading your software to Spring Framework 5.3.18.
3. Check the version under the bundles console if you are using that functionality.
Regards,
Raja
Hello,
AEM includes the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) with spring-webmvc-5.2.3.RELEASE as an embedded dependency.
I haven't yet found any relevant answer on whether an AEM instance running on Java 11 is impacted by CVE-2022-22965.
Regards
Our AEM instance is running on Java 8. Do you know if that is impacted?
I do see spring-webmvc-3.2.17.RELEASE.jar within the Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) bundle, though. That bundle is active with version 1.3.58.
@kautuk_sahni Would you please help if there is any patch coming out to fix this issue? This has also been reported as a vulnerability by our security team. A fix is highly requested.
I have asked the internal experts to get back here.
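Several posts above identify Spring by finding a `spring-webmvc-*.jar` embedded inside an OSGi bundle. The following is an added example, not part of the original thread or Adobe's tooling: it scans a bundle jar recursively for embedded Spring jars and reports those below the 5.3.18 release recommended in the thread. The function names, the `lib/` layout and `sample-bundle.jar` are constructed for illustration, and a hit only states the embedded version, not whether the instance is exploitable.

```python
import io
import re
import zipfile

# Upgrade target named in the thread (Spring Framework 5.3.18).
RECOMMENDED = (5, 3, 18)
# Assumption: only these Spring Framework artifacts are of interest here.
SPRING_JAR = re.compile(
    r"(?:^|/)(spring-(?:webmvc|webflux|beans))-(\d+(?:\.\d+)+)(?:[.-][A-Za-z0-9]+)*\.jar$")

def find_spring_jars(data, path):
    """Recursively scan a jar (bytes) and return (location, artifact, version)
    for every embedded Spring jar, including jars nested inside jars."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".jar"):
                continue
            location = f"{path}!/{name}"
            m = SPRING_JAR.search(name)
            if m:
                version = tuple(int(p) for p in m.group(2).split("."))
                hits.append((location, m.group(1), version))
            try:
                hits += find_spring_jars(zf.read(name), location)
            except zipfile.BadZipFile:
                pass  # entry is named .jar but is not a readable archive
    return hits

def below_recommended(hits):
    """Keep only the hits whose version is lower than RECOMMENDED."""
    return [h for h in hits if h[2] < RECOMMENDED]

def build_sample_bundle():
    """Constructed sample: a fake bundle with two embedded (empty) jars."""
    def empty_jar():
        buf = io.BytesIO()
        zipfile.ZipFile(buf, "w").close()
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/spring-webmvc-5.2.3.RELEASE.jar", empty_jar())
        zf.writestr("lib/spring-beans-5.3.18.jar", empty_jar())
    return buf.getvalue()

if __name__ == "__main__":
    found = find_spring_jars(build_sample_bundle(), "sample-bundle.jar")
    for location, artifact, version in below_recommended(found):
        print(f"{location}: {artifact} {'.'.join(map(str, version))} < 5.3.18")
```

To check a real bundle, read the jar file's bytes and pass them to `find_spring_jars` together with the file name.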